CVE-2023-38499

LOW

TYPO3 <9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 - Info Disclosure

Title source: llm

Description

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.
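The defect class the description names is an unscoped page lookup: in a multi-site installation all sites share one page tree, so if the frontend resolves the `id` and `L` query parameters without checking that the resulting page belongs to the site that serves the requested host, a visitor of the public site can walk the `id` space and read pages of an internal site. The following illustration is an added example and not TYPO3 code; it models the shared page tree with a tiny in-memory structure and shows the unscoped resolver beside a scoped one. All names (`Page`, `Site`, `PAGES`, `SITES`, `resolve_unscoped`, `resolve_scoped`, `enumerate_leaks`) and the sample data are hypothetical constructions for this example, and the real TYPO3 routing code differs in detail.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Page:
    uid: int
    pid: int      # parent page uid, 0 for a site root
    title: str


@dataclass
class Site:
    host: str
    root_page_uid: int
    languages: set   # language ids (values of `L`) configured for this site


# Constructed sample data (hypothetical, not from the advisory): one public
# site and one internal site sharing the same page tree storage, as in a
# multi-site CMS setup.
PAGES = {
    1: Page(1, 0, "Public home"),
    2: Page(2, 1, "Public news"),
    10: Page(10, 0, "Intranet home"),
    11: Page(11, 10, "Intranet: salary bands"),
}
SITES = {
    "www.example.com": Site("www.example.com", 1, {0, 1}),
    "intranet.example.internal": Site("intranet.example.internal", 10, {0}),
}


def rootline(uid):
    """Walk from a page up to its root; returns the uids, root last."""
    line = []
    while uid in PAGES and uid != 0:
        line.append(uid)
        uid = PAGES[uid].pid
    return line


def parse_request(url):
    """Extract host plus the `id` and `L` parameters (default 0 as ints)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    pid = int(qs.get("id", ["0"])[0])
    lang = int(qs.get("L", ["0"])[0])
    return parts.hostname, pid, lang


def resolve_unscoped(url):
    """Vulnerable pattern: trusts `id` and `L` from the query string and looks
    the page up in the shared tree without asking which site the request's
    host belongs to. Returns (title, language) or None."""
    host, pid, lang = parse_request(url)
    if host not in SITES or pid not in PAGES:
        return None
    return (PAGES[pid].title, lang)


def resolve_scoped(url):
    """Hardened pattern: the page must sit below the root page of the site
    that serves this host, and `L` must be a language of that site."""
    host, pid, lang = parse_request(url)
    site = SITES.get(host)
    if site is None or pid not in PAGES:
        return None
    if site.root_page_uid not in rootline(pid):
        return None   # page belongs to another site's tree
    if lang not in site.languages:
        return None   # language not configured for this site
    return (PAGES[pid].title, lang)


def enumerate_leaks(resolver, host, id_range, lang_range):
    """Replay the enumeration of `id` and `L` against one host and return the
    (id, L, title) tuples that resolve to pages outside that host's tree."""
    site = SITES[host]
    leaked = []
    for pid in id_range:
        for lang in lang_range:
            hit = resolver(f"https://{host}/?id={pid}&L={lang}")
            if hit and site.root_page_uid not in rootline(pid):
                leaked.append((pid, lang, hit[0]))
    return leaked


if __name__ == "__main__":
    print(enumerate_leaks(resolve_unscoped, "www.example.com", range(20), range(2)))
    print(enumerate_leaks(resolve_scoped, "www.example.com", range(20), range(2)))
```

Run against the sample data, the unscoped resolver hands the public host the two intranet pages for every `L` value, while the scoped resolver returns nothing outside the public tree. The same rootline check is what an operator can use to triage an access log: any request whose `id` resolves to a page whose rootline does not contain the root of the requested host is out of scope for that host.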

Scores

CVSS v3 3.7
EPSS 0.0211
EPSS Percentile 84.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (2)
typo3/cms-core 9.4.0 - 9.5.42 (Packagist)
typo3/typo3 9.4.0 - 9.5.42
Published Jul 25, 2023
Tracked Since Feb 18, 2026